Given an incident, utilize appropriate data sources to support an investigation Flashcards

1
Q

Vulnerability scan output

A

A vulnerability scan report is another important source when determining how an attack might have been made. The scan engine might log or alert when a scan report contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have not been patched or configuration weaknesses that have not been remediated. These can be correlated to recently developed exploits.

2
Q

SIEM dashboards
Security Information and Event Management (SIEM)
A console presenting selected information in an easily digestible format, such as a visualization.

A
Sensor
Sensitivity
Trends
Alerts
Correlation
3
Q

Sensor

A

A sensor is a network tap or port mirror that performs packet capture and intrusion detection. One of the key uses of a SIEM is to aggregate data from multiple sensors and log sources, but it might also be appropriate to configure dashboards that show output from a single sensor or source host.

4
Q

Sensitivity

A

One of the greatest challenges in operating a SIEM is tuning the system sensitivity to reduce false positive indicators being reported as an event. This is difficult firstly because there isn’t a simple dial to turn for overall sensitivity, and secondly because reducing the number of rules that produce events increases the risk of false negatives. A false negative is where indicators that should be correlated as an event and raise an alert are ignored.

5
Q

Trends

A

The process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events.

6
Q

Alerts

A

Alert—the event is listed on a dashboard or incident handling system for an agent to assess. The agent classifies the event and either dismisses it to the log or escalates it as an incident.

7
Q

Correlation

A

The SIEM can then run correlation rules on indicators extracted from the data sources to detect events that should be investigated as potential incidents. You can also filter or query the data based on the type of incident that has been reported.

Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team. A SIEM correlation rule is a statement that matches certain conditions. These rules use logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains). For example, a single-user logon failure is not a condition that should raise an alert. Multiple user logon failures for the same account, taking place within the space of one hour, is more likely to require investigation and is a candidate for detection by a correlation rule.

8
Q

Log files

A
Network
System
Application
Security
Web
DNS
Authentication
Dump files
VoIP and call managers
Session Initiation Protocol (SIP) traffic
9
Q

Network

A

Network logs are generated by appliances such as routers, firewalls, switches, and access points. Log files will record the operation and status of the appliance itself—the system log for the appliance—plus traffic and access logs recording network behavior, such as a host trying to use a port that is blocked by the firewall, or an endpoint trying to use multiple MAC addresses when connected to a switch.

10
Q

System

A

System—events generated by the operating system and its services, such as storage volume health checks.

11
Q

Application

A

Application—events generated by applications and services, such as when a service cannot start.

12
Q

Security

A

Security—audit events, such as a failed logon or access to a file being denied.

13
Q

Web

A

Web servers are typically configured to log HTTP traffic that encounters an error or traffic that matches some predefined rule set. Most web servers use the common log format (CLF) or W3C extended log file format to record the relevant information.

The status code of a response can reveal quite a bit about both the request and the server’s behavior. Codes in the 400 range indicate client-based errors, while codes in the 500 range indicate server-based errors. For example, repeated 403 (“Forbidden”) responses may indicate that the server is rejecting a client’s attempts to access resources they are not authorized to. A 502 (“Bad Gateway”) response could indicate that communications between the target server and its upstream server are being blocked, or that the upstream server is down.

In addition to status codes, some web server software also logs HTTP header information for both requests and responses. This can provide you with a better picture of the makeup of each request or response, such as cookie information and MIME types. Another header field of note is the User-Agent field, which identifies the type of application making the request. In most cases, this is the version of the browser that the client is using to access a site, as well as the client’s operating system. However, this can be misleading, as even a browser like Microsoft Edge includes versions of Google Chrome and Safari in its User-Agent string. Therefore, the User-Agent field may not be a reliable indicator of the client’s environment.

14
Q

DNS

A

A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence, such as:

The types of queries a host has made to DNS.
Hosts that are in communication with suspicious IP address ranges or domains.
Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.

15
Q

Authentication

A

Authentication attempts for each host are likely to be written to the security log. You might also need to inspect logs from the servers authorizing logons, such as RADIUS and TACACS+ servers or Windows Active Directory (AD) servers.

16
Q

Dump files

A

System memory contains volatile data. A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device.

17
Q

VoIP and call managers

A

Many VoIP systems use the Session Initiation Protocol (SIP) to identify endpoints and set up calls. The call content is transferred using a separate protocol, typically the Real Time Protocol (RTP). VoIP protocols are vulnerable to most of the same vulnerabilities and exploits as web communications. Both SIP and RTP should use the secure protocol forms, where endpoints are authenticated and communications protected by Transport Layer Security (TLS).

The call manager is a gateway that connects endpoints within the local network and over the Internet. The call manager is also likely to implement a media gateway to connect VoIP calls to cellphone and landline telephone networks. SIP produces similar logs to SMTP, typically in the common log format. A SIP log will identify the endpoints involved in a call request, plus the type of connection (voice only or voice with video, for instance), and status messaging. When handling requests, the call manager and any other intermediate servers add their IP address in a Via header, similar to per-hop SMTP headers. Inspecting the logs might reveal evidence of a man-in-the-middle attack where an unauthorized proxy is intercepting traffic. VoIP systems connected to telephone networks are also targets for toll fraud. The call manager’s access log can be audited for suspicious connections.

18
Q

Session Initiation Protocol (SIP) traffic

A

What is SIP? The Session Initiation Protocol is a signaling protocol that enables the Voice Over Internet Protocol (VoIP) by defining the messages sent between endpoints and managing the actual elements of a call. SIP supports voice calls, video conferencing, instant messaging, and media distribution.

19
Q

syslog/rsyslog/syslog-ng

A

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

There have been two updates to the original syslog specification:

Rsyslog uses the same configuration file syntax, but can work over TCP and use a secure connection. Rsyslog can use more types of filter expressions in its configuration file to customize message handling.
Syslog-ng uses a different configuration file syntax, but can also use TCP/secure communications and more advanced options for message filtering.

20
Q

journalctl

A

In Linux, text-based log files of the sort managed by syslog can be viewed using commands such as cat, tail, and head. Most modern Linux distributions now use systemd to initialize the system and to start and manage background services. Rather than writing events to syslog-format text files, logs from processes managed by systemd are written to a binary-format file called journald. Events captured by journald can be forwarded to syslog. To view events in journald directly, you can use the journalctl command to print the entire journal log, or you can issue various options with the command to filter the log in a variety of ways, such as matching a service name or only printing messages matching the specified severity level.

21
Q

nxlog

A

NXlog (nxlog.co) is an open-source log normalization tool. One principal use for it is to collect Windows logs, which use an XML-based format, and normalize them to a syslog format.

22
Q

Bandwidth monitors

A

Bandwidth usage can be a key indicator of suspicious behavior, if you have reliable baselines for comparison. Unexpected bandwidth consumption could be evidence of a data exfiltration attack, for instance. Bandwidth usage can be reported by flow collectors. Firewalls and web security gateways are also likely to support bandwidth monitoring and alerting.

23
Q

Metadata

A

Email
Mobile
Web
File

24
Q

Email

A

An email’s Internet header contains address information for the recipient and sender, plus details of the servers handling transmission of the message between them. When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA). The MDA should perform checks that the sender is authorized to issue messages from the domain. Assuming the email isn’t being delivered locally at the same domain, the MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA). The MTA routes the message to the recipient, with the message passing via one or more additional MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA adds information to the header.

Headers aren’t exposed to the user by most email applications, which is why they’re usually not a factor in an average user’s judgment. You can view and copy headers from a mail client via a message properties/options/source command. MTAs can add a lot of information in each received header, such as the results of spam checking. If you use a plaintext editor to view the header, it can be difficult to identify where each part begins and ends. Fortunately, there are plenty of tools available to parse headers and display them in a more structured format. One example is the Message Analyzer tool, available as part of the Microsoft Remote Connectivity Analyzer (testconnectivity.microsoft.com/tests/o365). This will lay out the hops that the message took more clearly and break out the headers added by each MTA.

25
Q

Mobile

A

Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing, and attempted calls and SMS text time, duration, and the opposite party’s number. Metadata will also record data transfer volumes. The location history of the device can be tracked by the list of cell towers it has used to connect to the network. If you are investigating a suspected insider attack, this metadata could prove a suspect’s whereabouts. Furthermore, AI-enabled analysis (or patient investigation) can correlate the opposite party numbers to businesses and individuals through other public records.

CDRs are generated and stored by the mobile operator. The retention period for CDRs is determined by national and state laws, but is typically around 18 months. CDRs are directly available for corporate-owned devices, where you can request them from the communications provider as the owner of the device. Metadata for personally owned devices would only normally be accessible by law enforcement agencies by subpoena or with the consent of the account holder. An employment contract might require an employee to give this consent for bring your own device (BYOD) mobiles used within the workplace.

26
Q

Web

A

When a client requests a resource from a web server, the server returns the resource plus headers setting or describing its properties. Also, the client can include headers in its request. One key use of headers is to transmit authorization information, in the form of cookies. Headers describing the type of data returned (text or binary, for instance) can also be of interest. The contents of headers can be inspected using the standard tools built into web browsers. Header information may also be logged by a web server.

27
Q

File

A

File metadata is stored as attributes. The file system tracks when a file was created, accessed, and modified. A file might be assigned a security attribute, such as marking it as read-only or as a hidden or system file. The ACL attached to a file showing its permissions represents another type of attribute. Finally, the file may have extended attributes recording an author, copyright information, or tags for indexing/searching. In Linux, the ls command can be used to report file system metadata.

28
Q

Netflow/sflow

A

Netflow
sflow
IPFIX

29
Q

Netflow

A

A Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.

30
Q

sflow

A

Web standard for using sampling to record network traffic statistics.

31
Q

IPFIX

A

Standards-based version of the Netflow framework.

32
Q

Protocol analyzer output

A

A SIEM will store details from sensors at different points on the network. Information captured from network packets can be aggregated and summarized to show overall protocol usage and endpoint activity. The contents of packets can also be recorded for analysis. Recording the full data of every packet—referred to as retrospective network analysis (RNA)—is too costly for most organizations. Typically, packet contents are only retained when indicators from the traffic are correlated as an event. The SIEM software will provide the ability to pivot from the event or alert summary to the underlying packets. Detailed analysis of the packet contents can help to reveal the tools used in an attack. It is also possible to extract binary files such as potential malware for analysis.